FEBRUARY 2021 - Center for Democracy and Technology
Proposed Consumer Privacy Framework for Health Data
FEBRUARY 2021

About Center for Democracy & Technology
The Center for Democracy & Technology is a 25-year-old nonprofit, non-partisan organization working to
promote democratic values by shaping technology policy and architecture. For more information, visit cdt.org.

About eHealth Initiative & Foundation
eHealth Initiative & Foundation (eHI) convenes executives from every stakeholder group in healthcare to
discuss, identify, and share best practices to transform the delivery of healthcare using technology and
innovation. eHI, along with its coalition of members, focuses on education, research, and advocacy to
promote the use and sharing of data to improve healthcare. Our vision is to harmonize new technology and
care models in a way that improves population health and consumer experiences. eHI has become a go-to
resource for the industry through its eHealth Resource Center. For more information, visit ehidc.org.

Acknowledgements
This framework is made possible with the support of the Robert Wood Johnson Foundation, and with
assistance from our Steering Committee. Special thanks to members of our two work groups for their
invaluable engagement and help, and for their guidance. A list of select Steering Committee members can be
found in the Appendix.
Proposed Consumer Privacy Framework for Health Data
Table of Contents
Executive Summary ... 4
Introduction and Background ... 4
Project Goals and Process ... 4
Value of This Proposal for Different Stakeholders ... 5
Substantive Standards and Policy Rationale ... 7
Definitions ... 7
Collection and Processing of Consumer Health Information ... 14
I. Obligations for Participating Entities ... 14
II. Consumer Controls ... 18
III. Notice and Transparency ... 21
IV. Consent ... 23
V. Exceptions ... 24
Proposed Self-Regulatory Program: Policy Rationale ... 28
Addressing Consumer Trust ... 28
Program Goals ... 29
Establishment of a New Self-Regulatory Program ... 29
Consumer and Participant Benefits ... 30
Incorporation of Feedback ... 30
Self-Regulatory Program for Non-HIPAA Healthcare Data ... 31
Appendix ... 33
Steering Committee Members ... 33
Executive Summary
Introduction and Background
Health data—or data used for health-related purposes—is not regulated by a single national privacy
framework. Since 1996, the Health Insurance Portability and Accountability Act (HIPAA) has governed the
use and disclosure of certain health information held by certain entities such as doctors and insurance
companies. However, with the rise of wearable devices, health and wellness apps, online services, and
the Internet of Things, extraordinary amounts of information reflecting mental and physical well-being
are created and held by entities that are not bound by HIPAA obligations. This issue has only gained
importance, as new regulations finalized in the spring of 2020 will also ease and promote the movement
of previously HIPAA-covered medical records into this commercially facing, non-HIPAA-covered and
unregulated space.[1] The novel coronavirus has also thrust the issue of patient data privacy to the
forefront, as efforts to trace and combat the spread of the virus have brought with them the relaxation of
some federal privacy protections as well as increased data collection and use.
Project Goals and Process
With funding from the Robert Wood Johnson Foundation, the eHealth Initiative (eHI) and the Center
for Democracy & Technology (CDT) collaborated on a Consumer Privacy Framework for Health Data,
with invaluable engagement and help from a steering committee of leaders from healthcare entities,
technology companies, academia, and organizations advocating for privacy, consumer, and civil rights.
This steering committee helped guide eHI and CDT during the development of this framework.
Specifically, the framework consists of a set of detailed use, access, and disclosure principles and
controls for health data that are designed to address the gaps in legal protections for health data outside
HIPAA’s coverage. The framework also includes a proposed self-regulatory program to hold companies
accountable to such standards. Non-HIPAA-covered entities would voluntarily hold themselves to a
set of standards and subject themselves to potential enforcement mechanisms beyond current Federal
Trade Commission (FTC) processes. Even outside this program, the authors hope that the substantive
standards will serve as a benchmark to shape industry conduct and influence companies’ approaches to
ensure users’ health data is protected.
[1] 85 Fed. Reg. 25642 (May 1, 2020) and 85 Fed. Reg. 25510 (May 1, 2020). For a comprehensive review of
the current legal landscape governing health data and the gaps in protection for the same, please see
Belfort, R., Dworkowitz, A., Bernstein, William S., Pawlak, B. and Yi, P. A Shared Responsibility:
Protecting Health Data Privacy in an Increasingly Connected World, June 2020, available at
http://www.manatt.com/Manatt/media/Media/PDF/White%20Papers/Healthcare-Whitepaper-RWJF-Protecting-Consumer-Health-Data-Privacy-in-an-Increasingly-Connected-World_e.pdf
(Manatt White Paper).
The standards emphasize transparency, accountability, and appropriate limitations on health data
collection, disclosure, and use. Importantly, the standards:
1. Move beyond outdated models that place too much emphasis on notice and consent and fail to
articulate data use limits;
2. Cover all information that can be used to make inferences or judgments about a person’s physical or
mental health; and
3. Cover all non-HIPAA-covered entities that collect, disclose, or use consumer health information,
regardless of the size or business model of the covered entity.
With respect to the self-regulatory program, the framework seeks to balance the need for enforcement
mechanisms that will effectively hold companies responsible and promote consumer trust, while ensuring
the program is workable enough for potential participating entities to join. This is a challenging balance,
which the authors know will rely on entities participating in good faith.
Importantly, this proposal is not designed to be a replacement for new and necessary comprehensive data
privacy legislation. Indeed, we believe strongly in the need for such a law and support all efforts to date
that have served to build momentum for one. Given that congressional action is likely some time away and
would take additional time to go into effect, this effort is designed to build support for best practices and
enable us to take what action we can now, in the interim, to shore up protections for non-HIPAA-covered
health data. We hope that some of the tenets of our proposal can and will be helpful to federal lawmakers
in their future efforts.
Value of This Proposal for Different Stakeholders
Consumers. This model raises the bar for consumer privacy. Some existing best practices and voluntary
frameworks define health information quite narrowly and do not cover all the data that reflects mental
or physical wellbeing or health. Many best practices are also often targeted at a specific type of app or
service instead of all entities that collect and use health data. Our comprehensive proposal closes these
gaps in coverage.
Substantively, our draft goes beyond outdated models that revolve primarily around notice and consent.
While transparency and consent remain important elements within the framework, many of the core
privacy-protecting provisions of this framework are focused on how consumer health information is
collected, disclosed, and used. Although older laws or frameworks may have made sense in decades
past, people can no longer make informed and timely decisions about all the different websites, apps,
and devices they use every day given the proliferation in the number of available technologies and the
length, details, and lack of clarity of their terms of service. By putting clear restrictions on the collection,
disclosure, and use of data, the proposed framework shifts the burden of privacy risk off users and onto
the companies.
Finally, because our model borrows the best concepts from Europe and California, users will benefit from
the heightened protections developed in those regions even if their local laws have not been updated with
more modern data privacy protections.
Non-HIPAA-covered technology companies that collect health information. Entities that elect to
participate and adopt the framework will also benefit. First, they will stay ahead of the regulatory curve.
By making pro-privacy decisions now, they will avoid having to make product changes that could be more
expensive, time-consuming, or complicated in response to future regulation.
Second, while entities will be able to develop and offer the product a consumer requests, they will be
deterred from collecting and using health data they do not actually need. This should reduce legal risks
in a world where consumers and enforcement agencies expect more from companies that handle data.
Participating entities may also see significant reputational and thus commercial benefit in an increasingly
crowded market.
Finally, this model has the potential to provide some compliance certainty for participants. By adopting
more forward-looking privacy practices, companies and organizations will avoid the gray or evolving
areas of existing laws. Especially for smaller or newer companies having difficulty fully understanding their
numerous federal and state legal obligations, which can often be unclear and/or conflicting, compliance
with our framework’s standards would provide some assurance that participants are staying ahead of
various potential federal and state requirements.
Regulators and oversight bodies. Congress, the FTC and their state-level counterparts will benefit from
companies committing to a common set of publicly available data practices. This commitment will allow
these governmental bodies to enforce these practices, which will be more explicit than many existing
company privacy policies. Instead of engaging in complicated investigations and balancing tests, these
entities will be able to measure compliance more easily and better allocate their limited enforcement
resources.
Traditional healthcare system entities. Finally, although this framework is geared toward companies
that operate outside the traditional healthcare system and thus are not subject to the obligations
and protections of HIPAA, our framework will benefit HIPAA-covered entities as well. The framework
recognizes the importance of research and establishes clear standards for when research relying on
consumer health information is permitted.
Moreover, the release of the Centers for Medicare & Medicaid Services and Office of the National
Coordinator for Health Information Technology final rules regarding interoperability and information-
blocking means that consumers will soon have greater access than ever to their own health data. By virtue
of the framework, providers and consumers alike will have a far easier time choosing applications for this
data transfer that adhere to meaningful and robust privacy practices.
Substantive Standards and Policy Rationale
For any follow-up questions, kindly contact Andrew Crawford at CDT (acrawford@cdt.org).
In addition to the text of the framework, throughout this section we include blue fields containing
summaries of the feedback we received, policy rationale, and explanations for each section.
Definitions
1. Affirmative Express Consent
a. In general - The term “affirmative express consent” means an affirmative act by a
consumer that clearly communicates the consumer’s authorization for an act or practice,
in response to a specific request that:
i. Is provided to the consumer in a clear and conspicuous disclosure that is separate from
other options or acceptance of general terms; and
ii. Includes a description of each act or practice for which the consumer’s consent is
sought that:
(A) Is written concisely and in an easy-to-understand manner that is accessible to all
consumers; and
(B) Includes clear headings that would enable a reasonable consumer to identify and
understand the act or practice.
b. Express consent required - Affirmative express consent shall not be inferred from the
inaction of a consumer or the consumer’s continued use of a service or product.
c. Voluntary - Affirmative express consent shall be freely given and nonconditioned.
Much of the data covered by this framework is inherently sensitive on its own or when used in certain
ways. When the collection, use, or sharing of certain data is conditioned on consent, it is crucial
that consent be meaningful. It has been repeatedly documented that terms that appear in lengthy
privacy policies do not meet this standard. To that end, this definition requires the clear and thorough
presentation of information to users and clarifies that consent cannot be inferred from consumer
inaction. Moreover, consumer consent must be voluntary and cannot be conditioned (for example, with
a condition that unnecessary data be collected as part of a sale). This approach is also consistent with
the FTC’s approach, other frameworks, and bipartisan constructions of affirmative express consent
introduced during the 116th Congress, including comprehensive privacy legislation and legislation that
would cover consumer health information.
2. Aggregated Health Data - The term “aggregated health data” means health data that relates
to a group or category of individuals but cannot reasonably be used to infer information about,
or otherwise be linked to, an individual, a household, or a device used by an individual or a
household.
A participating entity in possession of aggregated health data shall:
a. Take reasonable measures to safeguard the aggregated health data from reidentification,
including the adoption of technical and organizational measures to ensure that the
information is not linked to any individual, household, or device used by an individual or a
household;
b. Publicly commit in a conspicuous manner not to attempt to reidentify or associate the
aggregated health data with any individual, household, or device used by an individual or a
household; and
c. Contractually require the same commitments from recipients of all transfers of
aggregated health data.
This framework recognizes that properly aggregated data may pose fewer privacy risks
to individuals, families, and communities. As a result of that reduced privacy risk and the
offsetting public benefit of some uses of aggregated data, this framework permits certain uses
of aggregated data for research purposes or internal analysis (see Section V). Importantly,
aggregation is not a silver bullet in protecting individual privacy. This framework requires covered
entities to safeguard aggregated health data from reidentification and to contractually require the
same commitment from any entity that receives the aggregated data.
We received comments asking for greater clarification around the definitions of both aggregated
and de-identified data. It is critical for these definitions to be clear because aggregated and de-
identified data sets are subject to different use limitations under the framework. To address these
comments, the definitions of aggregated and de-identified health information have been modified
to make clear that they are not subsets of consumer health information. Additional clerical edits
have also been made to these definitions to ensure consistency of terms and approach.
3. Consumer - The term “consumer” means an individual, including minors.
Comments received about this section asked whether minors are included within the definition
of consumer. Minors face the same potential harms when their health data is misused or used in
unintended ways and should have the same protections as everyone else under the framework. To
address this feedback, we have now included a reference to minors within the definition to clearly
indicate that they are included.
4. Consumer Health Information - The term “consumer health information” means:
a. Any information, recorded in any form or medium, that is created or received by
an entity and:
i. Relates to or is used to determine, predict, or estimate the past, present, or future
physical or mental health condition of an individual; or
ii. Relates to the provision of healthcare to an individual.
b. The following data sets regardless of the purpose or outcome of the collection, disclosure,
or use:
i. Genetic data;
ii. Data that reflects a particular disease or condition;
iii. Data that reflects any substance use disorder;
iv. Data that reflects reproductive health; and
v. Data that reflects disability.[2]
c. Exclusions - Consumer health information does not include:
i. Protected health information (PHI) held or maintained by a HIPAA-covered entity or
business associates acting for the covered entity.
[2] As defined under the Americans with Disabilities Act of 1990, available at https://www.ada.gov/pubs/adastatute08.htm.
This definition intentionally rejects previous notions of “health data” that are limited to the direct
provision of health services by a professional. It also avoids the approach taken by some other
voluntary frameworks that create a list of health conditions that qualify for protection. This
definition instead focuses on the nature of the information and how it is used. It recognizes that
all data can be “health data” if it is used for those purposes, even if it appears unrelated on its face.
To that end, subsection (a) covers all data that a participant collects, shares, or uses for health
purposes. Examples of some of these data sets are as follows:
• Data that reflects racial and ethnic origin;
• Biometric data; and
• Data that reflects sexual orientation.
Subsection (b) declares that certain sensitive health information shall always be subject to the
framework, regardless of the context of its use.
A purpose- and use-based approach to this definition has several benefits. First, it benefits
consumers by raising the bar for all the data that is used to impact their health and wellness.
Modern data use is complex, opaque, and instantaneous. Trying to delineate distinct data
sets as worthy of coverage and others as not no longer makes sense for the people whose
information is implicated. Second, it creates a tech-neutral standard that will stay relevant as
technology evolves.
We received a number of thoughtful and detailed comments about this section. Several of the
comments focused on the broad nature of the definition. We took this feedback seriously. To
address these points, the definition has been refined to clarify when certain data sets, such as
racial and biometric data, will be treated as consumer health information. These edits focus the
framework’s protections on data sets that are collected, disclosed, and used for health purposes
while still recognizing that certain types of data are always consumer health information. Finally,
the addition of the exclusion section is intended to make clear that this framework is focused on
consumer health information that is not covered by HIPAA.
5. De-identified Health Data - The term “de-identified health data” means health data that
cannot reasonably be used to infer information about, or otherwise be linked to, an individual, a
household, or a device used by an individual or a household.
A participating entity in possession of de-identified health data shall:
a. Take reasonable measures to safeguard the de-identified health data from reidentification,
including the adoption of technical and organizational measures to ensure that the
information is not linked to any individual, household, or device used by an individual or a
household;
b. Publicly commit in a conspicuous manner not to attempt to reidentify or associate the
de-identified health data with any individual, household, or device used by an individual or a
household; and
c. Contractually require the same commitments from recipients of all transfers of the de-
identified health data.
Properly de-identified data may pose fewer privacy risks to individuals, families and communities.
As a result of that reduced privacy risk and the offsetting public benefit of some uses of de-
identified health data, this framework permits certain uses of this data for research purposes
or internal analysis (see Section V). De-identification is not a silver bullet in protecting individual
privacy. This framework requires covered entities to safeguard de-identified health data from
reidentification and to contractually require the same commitment from any entity that receives
the de-identified data.
We received a number of comments about this definition that are discussed under the definition
of aggregated health data above. Additionally, we received comments specifically about de-
identified data. Those comments focused on de-identified health data carrying a greater potential
to be reidentified compared to aggregated health data. While it is not possible to completely
eliminate the risk of reidentification, the definition requires participating entities to not reidentify
this data.
6. Participating Entity - The term “participating entity” means an entity that collects, gathers,
or uses consumer health information in any form or medium for nonpersonal purposes and
that adopts this framework.
This has been drafted broadly in an effort to capture all entities that collect and/or use consumer
health information. It no longer makes sense for consumers to have different rights depending on
what entities hold their information.
We received some comments seeking greater clarification regarding how this framework would
apply to entities that may have certain data sets that are covered by HIPAA while others are
not. This framework is focused on non-HIPAA-covered data and is intended to increase privacy
protections around data sets that currently fall outside HIPAA’s coverage while not creating
overlapping or conflicting requirements for participating entities.
7. Privacy Review Board - The term “privacy review board” means an independent board that:
a. Is composed of at least three members;
b. Has members with varying backgrounds and appropriate professional competency as
necessary to review the effect of the research protocol on the individual’s privacy rights
and related interests;
c. Includes at least two members who are not affiliated with the participating entity, not
affiliated with any entity conducting or sponsoring the research, and not related to any
person who is affiliated with any of such entities;
d. Includes at least one member who is a consumer representative with experience working in
the consumer health context; and
e. Does not have any member participating in a review of any project in which the member
has a conflict of interest.
For the purposes of this definition, an institutional review board (IRB) or a privacy board as
contemplated under the HIPAA Privacy Rule shall satisfy this definition so long as the IRB or
privacy board meets the composition requirements of this provision.
Review boards inject valuable, independent professional review for certain proposed uses of
consumer health data. Large and consequential uses of consumer health information will benefit
from this independent scrutiny. In an effort to stay consistent and not introduce a host of new
terms or requirements, this definition is heavily influenced by similar provisions within HIPAA and its
accompanying regulations.
We received comments regarding the composition of privacy review boards. Because the framework
is focused on health information, any consumer representative must have experience working on
consumer health issues to best protect consumers’ rights. The definition also makes it clear that IRBs
and privacy boards satisfy this requirement so long as they meet each element within the definition.
8. Publicly Available Information - The term “publicly available information” means any
information that:
a. Has been lawfully made available to the general public from federal, state, or local
government records;
b. Is published in a telephone book or an online directory that is widely available to the general
public on an unrestricted basis;
c. Is video, audio, or Internet content published in compliance with the host site’s terms of
use and available to the general public on an unrestricted basis; or
d. Is published by a news media organization to the general public on an unrestricted basis.
For the purposes of this definition, information is not restricted solely because there is a login
requirement associated with accessing the information or a fee. When a user of a social media
service creates or shares information on that service, such information is restricted unless it is
freely accessible to anyone using the service.
Like many proposals, this framework recognizes that there is individual and societal value in
the free flow of information and that even health data may receive reduced protections when it
has legitimately been made public. We have tried to craft this definition to capture truly public
information while not being overly broad. We also clarify that traditional sources of news, such
as newspapers, whose digital presence may have a login and/or small cost associated with their
service, are still considered well within the public sphere.
We received several comments regarding publicly available information. Specifically, to address
comments about information that requires a fee for access, we eliminated a specific dollar amount
in an effort to account for several services that have varying fee schedules.
9. Research - The term “research” means a systematic investigation, including research
development, testing, and evaluation, designed to develop or contribute to generalizable
knowledge.
This definition is heavily influenced by similar provisions within HIPAA and the Common Rule (the federal
policy for the protection of human subjects in research), and their respective regulations. This definition
permits public interest research to continue while avoiding a loophole that could be used to justify any
type of commercial data research.
Collection and Processing of Consumer Health Information
I. Obligations for Participating Entities
Currently, the burden of ensuring sufficient privacy protections around health data
disproportionately falls on consumers. This portion of the framework focuses on data collection
and use practices that ensure data is used for limited purposes consistent with consumer requests
and expectations. We have also included data security provisions.
A. Relation to Existing Federal, State, and Municipal Laws and Regulations
To the extent that any participating entity’s collection, disclosure, or use of consumer health information
is already governed by federal, state, and municipal laws and regulations, those legal obligations are not
affected by this framework.
This section is intended to make clear that framework participants must follow all applicable laws
and regulations in addition to offering consumers the higher level of protections included within
the framework.
B. Privacy and Security Protections
A participating entity shall offer the same levels of privacy and security protections and data rights
and controls to all consumers, regardless of whether the consumer is paying for services or receiving
them for free.
C. Permissible Collection and Use Practices for Consumer Health Information
A participating entity:
1. Shall not collect, disclose, or use consumer health information for any purpose other than the
purpose for which the data was originally collected, disclosed, or used;
2. Shall limit the amount of consumer health information collected, disclosed, or used to only
what is necessary to provide the product or feature the consumer has requested; and
3. Shall take reasonable efforts to contractually obligate third parties and service providers with
whom it discloses consumer health information to also meet the obligations of this framework.
This section is intended to categorically prohibit secondary uses of health data that do not fall
under one of the clearly defined exceptions to this framework. If a participating entity would like
to offer a new product or functionality or repurpose data for any reason, it must seek affirmative
consent for that new use. In no instance should terms of service serve as justification for
secondary uses of data. Data collection and use limits carry through to third parties. Consumers
should be protected without having to take additional steps to monitor how their data is being
used by third parties.
This section is likely to curb some current behavioral advertising and commercial product
development activities that do not avail themselves of one of the other exceptions, such as the
use of de-identified data. We understand this approach is more stringent than other voluntary
frameworks and legal standards, but we believe health data warrants the protection.
To address comments regarding the obligations section, we have clarified that a participating
entity shall take reasonable efforts to contractually obligate third parties and service providers.
This approach better aligns the framework with similar privacy protections found in other
proposals and industries, and provides participating entities and consumers with greater
assurance that the framework's protections carry through to third parties.
D. Consumer Health Information Retention
A participating entity:
1. Shall maintain consumer health information for a period of time only as long as necessary to
carry out the purpose(s) for which the consumer health information was collected; and
2. Shall delete all consumer health information once there is no longer a valid reason to retain it.
There should be clear and reasonable limits on the length of time consumer health information
may be maintained by participating entities. Retention limits benefit both consumers and
participants. Holding less data lessens the impact of a breach, ensures that decisions are not
made on stale or incorrect data, and lowers storage and security costs. These limits are
consistent with limits in other existing proposals and regulations.
E. Prohibitions on the Use of Consumer Health Information to Harm or Discriminate Against Consumers
1. A participating entity shall not collect, disclose, or use consumer health information to
discriminate against consumers.
2. A participating entity shall not collect, disclose, or use consumer health information when
making significant eligibility determinations, including housing, employment, healthcare, and
other significant determinations.
3. A participating entity shall not draw inferences from a consumer’s refusal to use or cessation
of use of a platform, product, app, or digital health tool that could lead to discrimination,
stigmatization, harmful profiling, or exploitation.
Consumer health information is inherently sensitive. It should not be collected, disclosed, or used
in ways that harm or discriminate against consumers, or limit consumers’ access to critical life
services or opportunities.
To address comments regarding the use of consumer health information to harm consumers, we
have included an additional provision within this section. Specifically, the additional section makes
it clear that a consumer’s decision to not use or to stop using a specific product or service shall not
have any negative or harmful consequences.
F. Security
1. A participating entity shall establish and implement reasonable information security policies,
practices, and procedures for the protection of consumer health information, taking into
consideration:
a. The nature, scope, and complexity of the activities engaged in by such participating entity;
b. The sensitivity of any consumer health information at issue;
c. The current state of the art in administrative, technical, and physical safeguards for
protecting such information; and
d. The cost of implementing such administrative, technical, and physical safeguards.
2. Requirements - The policies, practices, and procedures required in subpart (1) of this section
must include the following:
a. A written security policy with respect to the collection, retention, and use of such
consumer health information;
b. The identification of an officer or other individual as the point of contact with responsibility
for the management of information security;
c. A process for identifying and assessing reasonably foreseeable security vulnerabilities in
any systems maintained by such participating entities that contain such consumer health
information, which shall include regular monitoring for vulnerabilities and breaches of
security of such systems;
d. A process for taking action designed to mitigate vulnerabilities identified in the
process required by subparagraph (c), which may include implementing changes to security
practices and to the architecture, installation, or implementation of network or operating
software, and for regularly testing or otherwise monitoring the effectiveness of the
existing safeguards;
e. A process for determining whether consumer health information is no longer needed
and for disposing of consumer health information by shredding, permanently erasing,
or otherwise modifying the personal information contained in such data to make such
consumer health information permanently unreadable or indecipherable;
f. A process for overseeing persons who have access to consumer health information,
including through network-connected devices;
g. A process for employee training and supervision for implementation of the policies,
practices and procedures required by this subsection; and
h. A written plan or protocol for internal and public response in the event of a breach
of security.
This section imposes a "reasonable" security requirement on participants that is consistent
with FTC enforcement and the laws in many states. Because "reasonable" is scaled to the
sensitivity of the data, the way it is used, and the state of technology, participants' obligations
will be commensurate with the business and engineering decisions they make. The processes
required here are also flexible and outcome-based, which makes them usable for participants of
all sizes and levels of sophistication.
II. Consumer Controls
A. Consumer Rights With Respect to Consumer Health Information
1. Consumers’ Rights to Access, Correct, and Delete Consumer Health Information:
a. A participating entity shall provide a consumer with a free, clear, and easy process
for requesting personal consumer health information within the participating
entity’s possession.
b. A participating entity shall provide a consumer with a free, clear, and easy process for
requesting and receiving a list of all other affiliates, service providers, and third parties that
have received, licensed, or purchased their consumer health information:
i. If a participating entity has shared, licensed, or sold consumer health information to
another entity that contracts with one or more individuals who act as independent
contractors to provide a benefit (such as transportation, deliveries, or another
immediate benefit) directly to a consumer, the participating entity must identify the
other entity, but need not list or identify any end-service providers.
c. A participating entity shall provide a consumer with a free, clear, and easy process for
requesting corrections or deletions to any inaccurate information within the consumer
health information in the participating entity’s control.
d. A participating entity shall make reasonable efforts to correct or delete a consumer’s
health information based on a consumer’s request for correction or deletion.
e. When correction or deletion cannot occur, a participating entity shall provide the
requesting consumer with an explanation as to why the correction or deletion request
cannot be carried out.
To address comments regarding consumers’ ability to receive information about all other entities
that have received, licensed, or purchased their consumer health information, this section now
provides consumers with a clear mechanism to obtain this information. The additions to this
section are also necessary because of modifications made to the transparency requirements
above that now require that consumers receive information about the types of entities that will
receive, license, or purchase their consumer health information. This addition strikes a balance
between consumers’ interests and the compliance obligations of participating entities.
Additionally, we received comments that raised concerns regarding how information that was at
one time HIPAA-covered data (PHI) should be treated under this section. Specifically, commenters
raised concerns that a consumer’s medical records, records that were once covered by HIPAA
and may well be shared in the future with HIPAA-covered entities, should only be annotated
and not subject to broader correction and/or deletion requirements. While we recognize these
concerns, this framework is designed to operate outside HIPAA and give consumers greater
control over their health information. We encourage participating entities that collect, disclose, or
use these types of records to ensure that these consumer rights are made clear to everyone via
the framework’s transparency requirements. Moreover, medical professionals who may receive
this type of consumer health information should appreciate that the consumer, and not a HIPAA-
covered entity, is deciding what information they are sharing and proceed accordingly.
2. Consumers’ Portability Rights
a. Where technically feasible, a participating entity shall make available a reasonable means
for a consumer to download their health information that is retained by the participating
entity in a structured, standardized, and machine-readable interoperable format for the
consumer’s own use.
3. The Use of Consumer Health Information to Train or Be the Subject of Automated Systems or Processes
a. A participating entity shall not collect, disclose, or use consumer health information
to train or be the subject of any automated, algorithmic, or artificial intelligence (AI)
application unless that entity has first:
i. Obtained affirmative express consent from a consumer for the use of their health
information in such applications, or
ii. Subjected the consumer health information to be collected, disclosed, or used to a
risk-based privacy assessment, any risks identified have been appropriately mitigated,
and the use is consistent with a reasonable individual’s expectations given the context
in which the individual provided or authorized the collection, disclosure, or use of their
consumer health information.
b. If the consumer health information served as an input for an automated system or process,
any resulting data that is produced or results from that automated system or process shall
be considered consumer health information if:
i. The resulting data relates to or is used to determine, predict, or estimate the past,
present, or future physical or mental health condition of an individual;
ii. The resulting data relates to the provision of healthcare to an individual; or
iii. The resulting data includes:
(A) Genetic data;
(B) Data that reflects a particular disease or condition;
(C) Data that reflects any substance use disorder;
(D) Data that reflects reproductive health; or
(E) Data that reflects disability.
c. Automated, algorithmic, or AI applications, processes and systems must be designed and
implemented by the participating entity to mitigate potential algorithmic bias, including
through design processes that regularly interrogate the variables and training data used,
measures that ensure transparency and explainability, and routine auditing.
We have drafted this section to include several consumer rights that are consistent with existing
domestic and international regulations and proposals.
To address comments regarding the use of data sets produced by automated, algorithmic, or
AI applications, processes, and systems that used consumer health information in the creation
of those subsequent data sets, this section has been modified to align with the framework’s
definitions to clarify when those new data sets shall be treated as consumer health information.
III. Notice and Transparency
Section I establishes data collection and use practices that ensure consumer health data is used
for limited purposes consistent with consumer requests and expectations. This section builds on
those critical protections and is designed to empower consumers with the information they need.
Notice and transparency serve two complementary functions. First, timely and meaningful notice
allows individuals to make informed decisions before they agree to have their health information
collected, disclosed, or used. Second, ongoing transparency requirements allow individuals to
revisit a participating entity’s data policies at a time of their convenience or keep up to date with
changing data uses. It also allows researchers, regulators, and advocates to track data use trends
and better understand companies’ practices. Because these purposes require different levels
of detail, the framework requires participating entities to prepare two sets of information. This
approach provides consumers with the information they need without overwhelming them, while
simultaneously providing more thorough information to be used over time or in the public interest.
A. Notice
A participating entity shall not collect, disclose, or use consumer health information as permitted under
Section I unless it first:
1. Clearly identifies the types of health information that will be collected;
2. Clearly states the purpose(s) that any health information is collected for;
3. Clearly states the data retention policies that will apply to the consumer’s health information;
4. States whether any health information will be disclosed and, if so, provides the user clear
information about the specific types of entities that will receive, license, or purchase the
consumer health information;
5. States the reason(s) any health information is disclosed;
6. Commits to promptly notifying consumers when policies and practices surrounding how their
health information will be collected, disclosed, or used have changed; and
7. Provides consumers with a description of their individual rights and a clear list of any consumer
controls that a participating entity has made available.
To address comments regarding greater transparency around data retention, this section now
contains a provision requiring participating entities to tell consumers how long they will retain the
consumers’ health information. Retention information can help consumers make informed choices
when selecting services and also allow consumers to act should they wish to obtain a copy of their
health information before it is no longer retained by an entity.
We also received several comments regarding the framework’s notice provisions. Specifically,
commenters noted that it may not be possible and/or may be overly burdensome to identify
every entity that may receive a consumer’s health information at the time they consent to
using a product. To address this, the notice provision now requires participating entities to
provide information about the types of entities that receive consumers’ health information. This
modification still permits consumers to make informed decisions when engaging a product for the
first time. If a user wishes to know the names of all the entities that may collect, use, or share their
information, they may find them in the transparency report required by the next section.
B. Transparency
A participating entity that collects, discloses, or uses consumer health information shall, with respect to
each service or product provided by the participating entity, publish:
1. A consumer-facing policy that:
a. Includes information regarding each element listed within the “Notice” section of this
framework; and
b. Is written in a manner that is succinct and easily understandable to a consumer.
2. A complete second and more detailed policy that includes:
a. Each element listed within the “Notice” section of this framework;
b. The manner in which consumer health information is collected; and
c. A detailed list of all affiliates, service providers, and third parties with whom the
participating entity has disclosed or plans to disclose consumer health information.
With regard to obligations of a participating entity to list other entities that will receive, license, or
purchase consumer health information, if the other entity is one that contracts with one or more
individuals who act as independent contractors to provide a benefit (such as transportation, delivery, or
another immediate benefit) directly to a consumer, the participating entity must identify the other entity,
but need not list or identify any end-service providers.
As a result of the comments we received, this section now includes additional clarity around
situations where participating entities work with partners that use independent contractors to
provide a benefit. For example, a participating entity need not list the names of individual
independent contractors (such as a delivery person); it need only provide the name of the service
provider partner.
IV. Consent
Participating entities must obtain a consumer’s affirmative express consent prior to any
collection, disclosure, or use of consumer health information permitted under Section I. Consent
adds an important layer of protection and consumer control within the framework by permitting
the individual consumer to decide whether or how their health information will be collected,
disclosed, or used.
These provisions are drafted to require consumer consent for specific collections and uses of
consumer health information, as opposed to a simple blanket consent for a host of possible uses.
They also include important consumer rights to revoke consent later on.
It is important to note that nothing in this section allows “consent” to override any of the
categorical prohibitions and obligations in Section I. For example, a person cannot consent
to being discriminated against, to having their data used or shared for prohibited secondary
purposes, or to being subjected to a pay-for-privacy scheme.
A. Elements of Consent
In addition to the obligations for participating entities in Section I, before a participating entity may
collect, disclose, or use consumer health information:
1. A participating entity must obtain affirmative express consent from a consumer;
2. A participating entity must seek additional consent for any new collection, disclosure, or use of
consumer health information outside the scope of any previous consumer consent;
3. A participating entity may seek to obtain affirmative express consent from a consumer for
continued, ongoing, or periodic collection, disclosure or use of consumer health information
when both the purpose and intended use of consumer health information is the same for every
instance of collection, disclosure, or use; and
4. Affirmative express consent shall be freely given and nonconditioned.
B. Revocation of Consent
1. A participating entity collecting, disclosing, or using consumer health information must
provide consumers with the ability to revoke consent.
2. A participating entity must stop the collection, disclosure, or use of health information once a
consumer has revoked consent.
We received numerous comments regarding the framework’s consent provision, and recognize
that questions around consent and its continued applicability and utility are difficult. While this
framework is designed to move beyond existing consent-centric regimes by placing real limits
around the collection, disclosure, and use of consumer health information, there are instances
where consumers’ control of their data matters. Given the sensitivity of the covered health
information protected by this framework, consumers must consent before their health data is
collected, disclosed, or used.
Additionally, we received comments and questions regarding the frequency of consent required
under this section. To address this, we added additional clarifications that make it clear that
a single consent is sufficient for continued, ongoing, or periodic collection, disclosure, or use
of consumer health information, so long as the purpose and intended use of consumer health
information is the same for every instance. Consumers and participating entities should not be
overburdened with redundant consent requests.
V. Exceptions
Nothing in this framework shall limit participating entities from:
1. Engaging in practices that use consumer health information when necessary for archiving
purposes in the public interest, scientific or historical research purposes, or statistical
purposes that adhere to commonly accepted ethical standards and laws:
a. With affirmative express consent from a consumer;
b. Provided that the research has been reviewed and received written approval by a privacy
review board; or
c. If the research uses aggregated health data, provided that:
i. A participating entity may use aggregated health data for research without consumer
consent only after it:
(A) Determines that the aggregated health data to be used only relates to a group
or category of individuals or devices and does not identify and is not linked or
reasonably linkable to any individual;
(B) Documents the methods and results of the analysis that justify such
determination; and
(C) Produces a publicly available statement explaining the participating entity’s
practices regarding the general methods used for aggregating consumer health
information;
d. If the research uses de-identified health data, provided that:
i. A participating entity may use de-identified health data for research without consumer
consent only after it determines that the data is not individually identifiable. This
determination shall be made by a person with appropriate knowledge of and experience
with generally accepted statistical and scientific principles and methods for rendering
information not individually identifiable, who:
(A) Applying such principles and methods, determines that the risk is very small
that the de-identified health data could be used, alone or in combination with
other reasonably available information, by an anticipated recipient to identify an
individual who is a subject of the information;
(B) Documents the methods and results of the analysis that justify such
determination; and
(C) Produces a publicly available statement explaining the participating entity’s
practices regarding the general methods used for rendering consumer health
information not individually identifiable.
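The aggregation test in 1(c) (data relates only to a group and is not reasonably linkable to an individual) and the de-identification determination in 1(d) (very small re-identification risk, with documented methods and results) both come down to a measurable check. The following Python script is an added example and not part of the framework or of any participating entity's practice; it assumes a minimum equivalence-class size over generalized quasi-identifiers (k-anonymity) as the "generally accepted" statistical method, and the record layout and records are constructed for illustration. It returns the de-identified records together with a determination record of the kind 1(d)(B) asks an entity to document, and withholds aggregate cells below the threshold for 1(c).

```python
"""Minimum-group-size (k-anonymity style) check for aggregated and
de-identified health data.

Added example. The framework names no particular method; this script
assumes a k-anonymity threshold over generalized quasi-identifiers as the
accepted test, and the records below are constructed, not real data."""
from collections import Counter, defaultdict

# Constructed sample records. Quasi-identifiers: age, zip, sex.
RECORDS = [
    {"age": 34, "zip": "02139", "sex": "F", "condition": "asthma"},
    {"age": 37, "zip": "02142", "sex": "F", "condition": "asthma"},
    {"age": 31, "zip": "02138", "sex": "F", "condition": "diabetes"},
    {"age": 52, "zip": "02139", "sex": "M", "condition": "asthma"},
    {"age": 58, "zip": "02141", "sex": "M", "condition": "hypertension"},
    {"age": 55, "zip": "02139", "sex": "M", "condition": "asthma"},
    # A unique combination: must be suppressed at any k >= 2.
    {"age": 79, "zip": "10001", "sex": "F", "condition": "dementia"},
]

QUASI = ("age_band", "zip3", "sex")  # generalized quasi-identifiers


def generalize(rec):
    """Coarsen quasi-identifiers: 10-year age band and 3-digit ZIP prefix.
    The exact age and full ZIP are dropped from the output record."""
    band = (rec["age"] // 10) * 10
    return {
        "age_band": f"{band}-{band + 9}",
        "zip3": rec["zip"][:3],
        "sex": rec["sex"],
        "condition": rec["condition"],
    }


def equivalence_classes(recs):
    """Group records that share the same quasi-identifier values."""
    classes = defaultdict(list)
    for r in recs:
        classes[tuple(r[q] for q in QUASI)].append(r)
    return classes


def deidentify(records, k):
    """Generalize, then suppress every record whose equivalence class has
    fewer than k members. Returns (records, determination); the
    determination documents method, parameters and results as 1(d)(B)
    requires. The risk figure is the prosecutor-style bound 1/min_class."""
    gen = [generalize(r) for r in records]
    classes = equivalence_classes(gen)
    kept = [r for grp in classes.values() if len(grp) >= k for r in grp]
    min_class = min((len(g) for g in equivalence_classes(kept).values()),
                    default=0)
    determination = {
        "method": "generalization + suppression to k-anonymity",
        "quasi_identifiers": list(QUASI),
        "k": k,
        "records_in": len(records),
        "records_out": len(kept),
        "suppressed": len(gen) - len(kept),
        "min_class_size": min_class,
        "max_reidentification_risk": (1 / min_class) if min_class else 0.0,
    }
    return kept, determination


def aggregate(records, k):
    """Counts per (age_band, sex, condition). Cells with fewer than k
    members are withheld so no cell relates to an identifiable person."""
    gen = [generalize(r) for r in records]
    counts = Counter((r["age_band"], r["sex"], r["condition"]) for r in gen)
    return {cell: n for cell, n in counts.items() if n >= k}


if __name__ == "__main__":
    out, det = deidentify(RECORDS, 2)
    print(det)
    print(aggregate(RECORDS, 2))
```

A k-anonymity floor bounds only the chance that a record is unique among the chosen quasi-identifiers. 1(d)(A) also asks about information reasonably available to an anticipated recipient, so the choice of quasi-identifiers and of k should be justified against that recipient in the documented analysis, and the output records should be re-checked (as `deidentify` does) rather than trusting the input classes after suppression.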
2. Engaging in commercial, academic, or research practices that use only publicly available
consumer health information.
3. Using or disclosing consumer health information to a medical professional or healthcare
provider without consent if that participating entity, in good faith:
a. Believes that an emergency involving danger of death or serious physical injury to any
person requires use or disclosure relating to the emergency; and
b. Believes that the recipient of this information is in a position to address, rectify, or prevent
the emergency; and
c. If a participating entity uses this emergency exception, it shall promptly notify the
consumer whose health information was disclosed.
4. Engaging in practices that use consumer health information when necessary and solely for the
purposes of:
a. Detecting and preventing security incidents, identity theft or fraud, or protecting against
malicious or deceptive activity;
b. Performing system maintenance, diagnostics, debugging, or error repairs to ensure or
update the functionality of a product or service;
c. Complying with a federal, state, or local law, rule, or other applicable legal requirement,
including disclosures pursuant to a court order, subpoena, summons, or other properly
executed compulsory process; or
d. Addressing health misinformation or moderating content or accounts to prevent harm to
consumers.
5. Collecting, disclosing, or using data:
a. About an individual in the course of the individual’s employment or application for
employment (including on a contract or temporary basis), provided that such data is
retained or used by the participating entity or the participating entity’s service provider
solely for purposes necessary for the individual’s employment or application for
employment;
b. That is emergency contact information for an individual who is an employee, contractor, or
job applicant of the participating entity, provided that such data is retained or used by the
participating entity or the participating entity’s service provider solely for the purpose of
having an emergency contact for such individual on file; or
c. About an individual (or a relative of an individual) who is an employee or former employee
of the participating entity for the purpose of administering benefits to which such
individual or relative is entitled on the basis of the individual’s employment with the
participating entity, provided that such data is retained or used by the participating entity
or the participating entity’s service provider solely for the purpose of administering such
benefits.
6. Engaging in limited commercial product development:
a. With affirmative express consent from a consumer for this specific use, provided that it:
i. Uses aggregated health data or de-identified health data;
ii. Complies with the provisions of the “Prohibitions on the Use of Consumer Health
Information to Harm or Discriminate Against Consumers” section of this framework;
26You can also read